Misdirected network traffic

Charles Lavin

Hi --

I have a Windows XP Pro SP3 box running Symantec's network antivirus program
(whatever they renamed it to, it's v11). The real-time AV protection module
detected an incoming virus and supposedly stopped it, although it was unable
to quarantine or delete the offending files in the temp folder. I was able
to remove those files from a safe mode command prompt, and a full virus
sweep of the machine came up clean.

However ...

Since this happened, this computer cannot resolve local host names. Any
local host it tries to access by name resolves to the same IP address in the
Netherlands. It doesn't seem to have problems with external names. But all
internal names resolve to that same IP address.

I checked the local DNS server (an SBS 2003 box) and there's nothing wrong
with it. No other PC on the LAN is having this problem. This PC doesn't have
anything screwy in its hosts file.

If I ping a local host name, the machine tries to ping this Dutch IP
address. However, on that same PC, an nslookup of the host name will return
the correct address.

I've blocked that IP address not only on the PC's local routing table but
also on the LAN's firewalls. But how do I clean this up on the PC?

Thanks,
CL

John Wunderlich

Charles Lavin said:
[...]
However ...

Since this happened, this computer cannot resolve local host
names. Any local host it tries to access by name resolves to the
same IP address in the Netherlands. It doesn't seem to have
problems with external names. But all internal names resolve to
that same IP address.

I checked the local DNS server (an SBS 2003 box) and there's
nothing wrong with it. No other PC on the LAN is having this
problem. This PC doesn't have anything screwy in its hosts file.

If I ping a local host name, the machine tries to ping this Dutch
IP address. However, on that same PC, an nslookup of the host name
will return the correct address.

Nslookup will *always* query a DNS Server (that's what the program
was written to do); however, when your computer normally tries to
resolve a name, it goes through a series of steps and the DNS server
is only 2nd or 3rd on the list. Number one on the list is the
'hosts' file, normally found in c:\windows\system32\drivers\etc
folder. Check that file (open with text editor / notepad) and see
if there are entries there that may divert your packets.

You might try to run the "hijackThis" program which is good at
uncovering nasties that can cause problems like you are seeing. The
drawback to this program is that it shows you *everything*, good and
bad, and you need to be careful about what you fix. There are groups
that will analyze your hijackThis log (don't post it here).

<http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis>

HTH,
John
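
The hosts-file check John describes, as an added example that is not part of the original thread: Windows consults the hosts file before it asks DNS, so one line there can send every LAN host name to a single outside address while nslookup (which always talks to the DNS server) still returns the right one. The script parses a hosts file the way the resolver does (comments, tabs, several names per line) and reports every name mapped to an address outside loopback, link-local and the RFC 1918 ranges, grouped by that address. The sample file below is constructed for illustration, modelled on the default XP file; the 198.51.100.7 address is an RFC 5737 documentation placeholder standing in for the Dutch IP in the post.

```python
"""Audit a Windows hosts file for entries that divert internal names.

Added example, not code from the original thread. The sample below is
constructed; 198.51.100.7 stands in for the foreign address the poster saw.
"""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on c:\windows\system32\drivers\etc\hosts.
# The run of blank lines is deliberate: hijacked hosts files are often
# padded so the bad entries sit far below what Notepad shows at first.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    sbs2003   sbs2003.corp.local   # file server
""" + "\n" * 40 + """\
198.51.100.7\tfileserver
198.51.100.7  sbs2003.corp.local  mail   intranet
198.51.100.7 www.example.com  # external name, also hijacked
"""

# Where a LAN host name is expected to point: loopback, link-local and
# RFC 1918 space. Checked explicitly rather than via ip.is_private, which
# in Python also covers the documentation ranges used in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a hosts file.

    Format rules: '#' starts a comment, spaces or tabs separate fields,
    and one address may be followed by several names. A line whose first
    field is not an address is kept with ip=None so it is not lost.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((line_no, None, body))  # malformed, still worth a look
            continue
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries


def is_local_address(ip):
    """True when the address lies in one of LOCAL_NETS (version-safe)."""
    return any(ip in net for net in LOCAL_NETS)


def find_diversions(text):
    """Map each non-local address to the [(line_no, name), ...] pointed at it.

    Several LAN names all resolving to one routable address is exactly the
    signature in the post; a normal hosts file carries no public address.
    """
    by_ip = defaultdict(list)
    for line_no, ip, name in parse_hosts(text):
        if ip is None or is_local_address(ip):
            continue
        by_ip[str(ip)].append((line_no, name))
    return dict(by_ip)


def names_with_conflicting_entries(text):
    """Names listed more than once with different addresses.

    Whichever line the resolver honours, an inconsistent file means one
    entry was added later than the other and deserves a closer look.
    """
    seen = defaultdict(set)
    for _, ip, name in parse_hosts(text):
        if ip is not None:
            seen[name].add(str(ip))
    return {n: sorted(ips) for n, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for addr, hits in find_diversions(SAMPLE_HOSTS).items():
        print(f"{addr}:")
        for line_no, name in hits:
            print(f"  line {line_no}: {name}")
    for name, addrs in names_with_conflicting_entries(SAMPLE_HOSTS).items():
        print(f"conflict: {name} -> {', '.join(addrs)}")
```

To run it against the real file, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of the sample. Two caveats a practitioner will want: Windows reads the file from the directory named in the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so a clean file at the default path proves nothing if that value has been pointed elsewhere; and the DNS Client service preloads hosts entries into its cache, so `ipconfig /displaydns` shows what the resolver is actually using and `ipconfig /flushdns` is needed after editing the file.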